From 47e92c4da5e8bdbec2016fbad7921656e9722e96 Mon Sep 17 00:00:00 2001 From: Graham Hayes Date: Mon, 21 Jul 2014 17:03:01 +0100 Subject: [PATCH] Added policy checking for all all_tenent=True contexts Change-Id: I6cc23ce083a7758efa9d34719ac89dfb135a4a42 --- designate.sublime-project | 3 ++- designate/api/middleware.py | 4 ---- designate/api/service.py | 3 --- designate/central/service.py | 6 ++---- designate/context.py | 15 +++++++++++++++ designate/service.py | 3 +++ designate/tests/test_context.py | 17 +++++++++++++++++ 7 files changed, 39 insertions(+), 12 deletions(-) diff --git a/designate.sublime-project b/designate.sublime-project index 1f354114c..32b53a7bb 100644 --- a/designate.sublime-project +++ b/designate.sublime-project @@ -38,7 +38,8 @@ ".venv", ".testrepository", "doc/build", - "doc/source/api" + "doc/source/api", + "build" ], "path": "." } diff --git a/designate/api/middleware.py b/designate/api/middleware.py index 715958c83..e2b63b15e 100644 --- a/designate/api/middleware.py +++ b/designate/api/middleware.py @@ -22,7 +22,6 @@ from designate import exceptions from designate import notifications from designate import wsgi from designate import context -from designate import policy from designate.openstack.common import jsonutils as json from designate.openstack.common import log as logging from designate.openstack.common import strutils @@ -71,15 +70,12 @@ class ContextMiddleware(wsgi.Middleware): params = request.params if headers.get('X-Auth-All-Projects'): - policy.check('all_tenants', ctxt) ctxt.all_tenants = \ strutils.bool_from_string(headers.get('X-Auth-All-Projects')) elif 'all_projects' in params: - policy.check('all_tenants', ctxt) ctxt.all_tenants = \ strutils.bool_from_string(params['all_projects']) elif 'all_tenants' in params: - policy.check('all_tenants', ctxt) ctxt.all_tenants = \ strutils.bool_from_string(params['all_tenants']) else: diff --git a/designate/api/service.py b/designate/api/service.py index e69a2f452..a175af4e8 100644 
--- a/designate/api/service.py +++ b/designate/api/service.py @@ -21,7 +21,6 @@ from designate.i18n import _LI from designate.openstack.deprecated import wsgi from designate import exceptions from designate import utils -from designate import policy LOG = logging.getLogger(__name__) @@ -39,8 +38,6 @@ class Service(wsgi.Service): LOG.info(_LI('Using api-paste-config found at: %s') % config_paths[0]) - policy.init() - application = deploy.loadapp("config:%s" % config_paths[0], name='osapi_dns') diff --git a/designate/central/service.py b/designate/central/service.py index 8b6e8a3ce..d94e33a1e 100644 --- a/designate/central/service.py +++ b/designate/central/service.py @@ -80,8 +80,6 @@ class Service(service.Service): backend_driver = cfg.CONF['service:central'].backend_driver self.backend = backend.get_backend(backend_driver, self) - policy.init() - # Get a storage connection storage_driver = cfg.CONF['service:central'].storage_driver self.storage = storage.get_storage(storage_driver) @@ -1416,8 +1414,8 @@ class Service(service.Service): except exceptions.DomainNotFound: msg = _LI('Creating zone for %(fip_id)s:%(region)s - ' '%(fip_addr)s zone %(zonename)s') % \ - {'fip_id': floatingip_id, 'region': region, - 'fip_addr': fip['address'], 'zonename': zone_name} + {'fip_id': floatingip_id, 'region': region, + 'fip_addr': fip['address'], 'zonename': zone_name} LOG.info(msg) email = cfg.CONF['service:central'].managed_resource_email diff --git a/designate/context.py b/designate/context.py index 8754a4905..e54482aa3 100644 --- a/designate/context.py +++ b/designate/context.py 
@@ -19,12 +19,16 @@ import copy from designate.openstack.common import context from designate.openstack.common import local from designate.openstack.common import log as logging +from designate import policy LOG = logging.getLogger(__name__) class DesignateContext(context.RequestContext): + + _all_tenants = False + def __init__(self, auth_token=None, user=None, tenant=None, domain=None, user_domain=None, project_domain=None, is_admin=False, read_only=False, show_deleted=False, request_id=None, @@ -49,6 +53,7 @@ class DesignateContext(context.RequestContext): self.roles = roles self.service_catalog = service_catalog + self.all_tenants = all_tenants if not hasattr(local.store, 'context'): @@ -112,3 +117,13 @@ class DesignateContext(context.RequestContext): return arg return None + + @property + def all_tenants(self): + return self._all_tenants + + @all_tenants.setter + def all_tenants(self, value): + if value: + policy.check('all_tenants', self) + self._all_tenants = value diff --git a/designate/service.py b/designate/service.py index d13eb366b..664002395 100644 --- a/designate/service.py +++ b/designate/service.py @@ -24,6 +24,7 @@ from designate.openstack.common import service from designate.openstack.common import log as logging from designate.i18n import _ from designate import rpc +from designate import policy from designate import version @@ -50,6 +51,8 @@ class Service(service.Service): self.topic = topic self.service_name = service_name + policy.init() + # TODO(ekarlso): change this to be loadable via mod import or # stevedore? self.endpoints = endpoints or [self] diff --git a/designate/tests/test_context.py b/designate/tests/test_context.py index 2a1b8b494..957480d9f 100644 --- a/designate/tests/test_context.py +++ b/designate/tests/test_context.py 
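Review bot: The `all_tenants` setter turns a plain attribute assignment into an authorization decision, and neither the property nor the setter has a docstring saying so. I would document on the setter that a truthy value runs `policy.check('all_tenants', self)` first and that a refused check propagates before `_all_tenants` is written, so the flag keeps its previous value. Because `__init__` assigns through the same setter (`self.all_tenants = all_tenants` in the preceding hunk), building a context with the flag set can now raise from the constructor, and whatever `policy.check` reads from the context has to be populated before that line; only `roles` and `service_catalog` are visibly set ahead of it, and the rest of `__init__` lies outside the hunk. The check runs once at assignment, so a short comment that the flag is not re-validated if roles change later would help callers such as the middleware, which now relies on this setter alone.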
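Review bot: Moving `policy.init()` into this constructor only covers classes that reach `designate.service.Service.__init__`, and the API service does not visibly do so: `designate/api/service.py` declares `class Service(wsgi.Service)` with `wsgi` imported from `designate.openstack.deprecated`, while this patch deletes that file's own `policy.init()` call. If that base class does not chain to this constructor, the API process, where the middleware now triggers `policy.check` through the context setter, would run without the policy rules loaded. I would either keep `policy.init()` in `designate/api/service.py` or confirm the inheritance before merging. The rest of `__init__` is outside the hunk.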
@@ -13,8 +13,11 @@ # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. +import testtools + from designate.tests import TestCase from designate import context +from designate import exceptions from designate.openstack.common import log as logging LOG = logging.getLogger(__name__) @@ -34,3 +37,17 @@ class TestDesignateContext(TestCase): self.assertFalse(ctxt.is_admin) self.assertTrue(admin_ctxt.is_admin) self.assertEqual(0, len(ctxt.roles)) + + def test_all_tenants(self): + ctxt = context.DesignateContext(user='12345', tenant='54321') + admin_ctxt = ctxt.elevated() + + admin_ctxt.all_tenants = True + self.assertFalse(ctxt.is_admin) + self.assertTrue(admin_ctxt.is_admin) + self.assertTrue(admin_ctxt.all_tenants) + + def test_all_tenants_policy_failure(self): + ctxt = context.DesignateContext(user='12345', tenant='54321') + with testtools.ExpectedException(exceptions.Forbidden): + ctxt.all_tenants = True
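Review bot: `test_all_tenants_policy_failure` checks that `Forbidden` is raised but not that the context fails closed afterwards; adding `self.assertFalse(ctxt.all_tenants)` after the `with` block would pin that a refused assignment leaves the flag unset. The constructor path is also untested: assuming `all_tenants` is a keyword argument of `DesignateContext.__init__` (the signature is outside the hunk), a case wrapping `context.DesignateContext(user='12345', tenant='54321', all_tenants=True)` in `testtools.ExpectedException(exceptions.Forbidden)` would cover it.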